Criminals often rely on tricking their victims into handing over passwords and other account information. This act of tricking is called social engineering (also known as a confidence crime), and it comes in many forms.
- A phishing e-mail that targets one specific person is called spear phishing. The message is crafted to look like the routine company e-mail the target sees every day.
- Example: The thief sends a phishing e-mail to a company employee he found on LinkedIn, making it appear to come from the company's CEO or another senior figure. The "CEO" requests sensitive information (such as a password) or a wire transfer.
- The phone is used for phishing in the same way (vishing, short for voice phishing): the caller poses as someone the victim trusts and talks them into revealing information or approving a payment.
- A fake invoice is sent to the company, mimicking the ones the business's real vendor routinely sends, or simply resembling an invoice from any vendor the company plausibly does business with. Accounting often pays the fake invoice.
- Finders keepers, losers weepers: The crook leaves a USB drive lying around, hoping someone will pick it up and plug it into a work computer, at which point it delivers malware.
- Impersonating a vendor or another employee in person to gain physical access to the business.
Don’t Take the Bait
- Any time someone calls, sends you an e-mail, walks into your office or rings the doorbell, keep in mind that they may have scammy intentions.
- Every bank account should have two-factor authentication enabled. Even if a password is compromised, this can keep the scammer out of the account.
- Train employees to be extremely careful about what they post on social media, such as the nickname of the company CEO; details like that make a forged e-mail sound authentic.
- Don't click links inside unexpected e-mails. Phishing links lead to a page that harvests your password or to a download that installs malware.
- Requests for money transfers or sensitive data must be verified with the person who supposedly made the request, in person or by phone using a number you already have on file, not one supplied in the e-mail. Never verify by hitting "reply": the reply goes straight back to the attacker.
- Money transfers should require two signatures.
- Free web-based e-mail accounts need two-factor authentication too.
- Train employees thoroughly to recognize phishing maneuvers. This includes catching any anomalous features of e-mails supposedly sent by the CEO or other key figures in the company. Staged phishing e-mails should be sent regularly to see who falls for the bait.
- Examples of anomalies: The CEO suddenly wants to be contacted at a new e-mail address, or her e-mail signature is suddenly different ("Kathy" instead of "Kathi"). Another suspicious change is a CEO who has signed off with "Best" for years suddenly signing off with "Sincerely."
- The same uncharacteristic changes can show up in mail from a vendor (a crook posing as a longtime vendor).
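The anomalies listed above (a known executive's name on an unfamiliar address, a changed sign-off, a Reply-To pointing elsewhere, a look-alike domain, and an ask for money or credentials) can be turned into a mechanical check. The following is an added example, not code from the original post or from IDTheftSecurity.com; the executive directory, the domain example.com, the three sample messages and the look-alike distance threshold are all constructed for illustration.

```python
"""Flag BEC-style anomalies in an e-mail's headers and body.

Added example (not part of the original post). Assumptions, all
hypothetical: the EXECUTIVES directory, COMPANY_DOMAIN, the phrase list
and the look-alike distance threshold below.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # hypothetical
EXECUTIVES = {  # hypothetical directory: usual display name -> real address and sign-off
    "kathi jones": {"address": "kathi.jones@example.com", "signoff": "best"},
}
# Words that match the asks described above (wire transfers, credentials, tax data).
RISKY_PHRASES = ("wire", "gift card", "password", "w-2")
LOOKALIKE_MAX_DISTANCE = 2  # examp1e.com is 1 edit away from example.com


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list[str]:
    """Return a list of anomaly descriptions; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = _domain(addr)
    body = "" if msg.is_multipart() else msg.get_payload()

    profile = EXECUTIVES.get(name)
    if profile:
        # Display name of a known executive on an address that is not theirs.
        if addr != profile["address"]:
            findings.append(f"display name '{name}' but sender {addr}, expected {profile['address']}")
        # Sign-off differs from what this person has always used.
        tail = [ln.strip().lower() for ln in body.splitlines() if ln.strip()][-3:]
        if not any(ln.startswith(profile["signoff"]) for ln in tail):
            findings.append(f"sign-off does not match the usual '{profile['signoff']}'")
        hits = [p for p in RISKY_PHRASES if p in body.lower()]
        if hits:
            findings.append("request involving " + ", ".join(hits))

    # Replies silently routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # Sender domain that is a few keystrokes away from the real one.
    if from_domain != COMPANY_DOMAIN and _levenshtein(from_domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        findings.append(f"look-alike sender domain {from_domain}")
    return findings


# Constructed sample messages.
LEGIT = """From: Kathi Jones <kathi.jones@example.com>
To: pat@example.com
Subject: Q3 figures

Please send me the Q3 figures when you have a moment.

Best,
Kathi
"""

SPOOFED_WEBMAIL = """From: Kathi Jones <kathi.jones.ceo@gmail.com>
To: pat@example.com
Subject: Urgent

Are you at your desk? I need you to process an urgent wire transfer today and cannot take calls.

Sincerely,
Kathy
"""

LOOKALIKE = """From: Kathi Jones <kathi.jones@examp1e.com>
Reply-To: Kathi Jones <kj.private@mail-relay.net>
To: pat@example.com
Subject: Vendor payment

Please wire $48,000 to the account in the attached invoice before noon. In meetings all day, e-mail only.

Best,
Kathi
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("webmail", SPOOFED_WEBMAIL), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw) or "no findings")
```

None of these signals proves fraud on its own; the point is that a message carrying several of them should be routed to a human who verifies the request by phone before any money moves.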
Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.